‘Magic’ Ransomware Is Based On Open-Source Code

Uploaded on 2017-01-18 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

A new ransomware based on open-source code has been spotted in the wild and it encrypts user files and ads ‘.magic’ extension to them, researchers warn.

Dubbed "Magic, the malware is based on open-source ransomware called eda2, which was created for educational purposes. The Magic Ransomware was created in C# and the masterminds behind it currently demand 1 Bitcoin from users looking to regain access to their data.

Ransomware has become a highly rewarding business for cyber-criminals, with some interested in building their own malware.

Adopting open-source ransomware is a fast way to do that, and the Magic ransomware is proof that perpetrators would do whatever it takes to achieve their nefarious goals.

Magic is the second ransomware discovered this month to have been built upon ransomware created for educational purposes. Recently, Trend Micro discovered that a newly created threat called Ransom_Cryptear.B was based on another educational ransomware publicly available, namely Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.

Hidden Tear code was used in other malware as well, including Linux.Encoder, which was discovered back in November to pack an encryption flaw that allowed researchers to crack its encryption algorithm.

Recently, Utku Sen said that he managed to break the encryption of Cryptear.B because he intentionally weakened the encryption in Hidden Tear fearing that cybercriminals might abuse it.

Based on the eda2 ransomware kit, the newly discovered Magic malware appears to be the work of low-skilled hackers, Bleeping Computer’s Lawrence Abrams explains in a blog post.

However, the kit includes all necessary code, ranging from ransomware executable to encryption algorithm and PHP web panel used as a Command & Control (C2) server for storing the encryption keys of victims.

Researchers haven’t yet established how Magic is being distributed, but assume manual distribution via hacked terminals services or remote desktop.

The ransomware stores the AES keys used to encrypt files on the C2 servers, but also uses an RSA public key to encrypt them before sending them to the server.

Because the actors using the Magic ransomware are not advanced enough, they use C2 servers hosted on free web sites services, which means that they can be easily taken down.

However, there’s a risk that the free web hosting provider may delete the decryption key databases before security researchers could access them, meaning that victims lose the ability to retrieve their keys.

The ransomware is capable of encrypting a wide array of file extensions and appends the .magic extension to any encrypted file, but it won’t encrypt files located in directories that contain the string $, C:\Windows, or c:\program. After completing the encryption process, it creates the deleteMyProgram.bat batch file and execute it, an operation that uses vssadmin.exe to clear the victim's Shadow Volume Copies and then delete the malware executable.

The ransomware also places ransom notes on the desktop, providing victims with information on what has happened and on what they need to do to decrypt their files.

The actors behind the ransomware use a static bitcoin payment address, which has had no payments sent to it as of yet.

Security Week:     Ransom Worm: The Next Level Of Cybersecurity:    Europol Warning: Crypto-Ransomware Threat:

 

« Drone Warriors Of The US Air Force
2017: Cybersecurity At A Turning Point »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

INCIBE-CERT

INCIBE-CERT

INCIBE-CERT is the reference security incident response center for citizens and private law entities in Spain

netfiles

netfiles

netfiles offers highly secure data rooms for sensitive business processes and secure data exchange.

CipherMail

CipherMail

CipherMail provides email security products which allow organizations world wide to automatically protect their email against unauthorized access both in transit and at rest.

Exeon Analytics

Exeon Analytics

Exeon Analytics is a Swiss cyber security company that is specialized in detecting hidden data breaches and advanced cyber attacks.

Naukrigulf

Naukrigulf

Naukrigulf.com is one of the fastest growing job sites in the Gulf, with thousands of registered job seekers and a robust CV database across many sectors, including cybersecurity.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

TestArmy

TestArmy

TestArmy CyberForces provide you with a broad spectrum of cybersecurity services to test every aspect of your IT infrastructure security and software development process.

HENSOLDT Cyber

HENSOLDT Cyber

HENSOLDT Cyber introduces a paradigm shift to cyber security. Our products have been designed to ensure the integrity of embedded systems at the core: the operating system and the processor.

NSR

NSR

NSR provide trusted solutions that deliver positive business outcomes for our clients in cybersecurity and data protection challenges.

RedHunt Labs

RedHunt Labs

RedHunt Labs is a premier Cybersecurity Solutions provider, offering Attack Surface Management solution 'NVADR' and Penetration Testing services.

Lucata

Lucata

Lucata solutions support groundbreaking graph analytics and improved machine learning for organizations in financial services, cybersecurity, healthcare, pharmaceuticals, telecommunications and more.

Psybersafe

Psybersafe

Psybersafe is a hands-on, behaviour-changing training system that keeps your people and your business cyber safe.

Seedcamp

Seedcamp

Seedcamp identify and invest early in world-class founders attacking large and global markets through disruptive technology in areas including AI, cybersecurity, and Fintech.

SecurityBridge

SecurityBridge

SecurityBridge provide a cybersecurity connection between our customers’ IT departments, the forward-facing business services, and their SAP applications.

Manifest

Manifest

Manifest is a cybersecurity company dedicated to helping enterprises secure their software supply chains.

Gleam Cloud Security Solutions (GCSS)

Gleam Cloud Security Solutions (GCSS)

GCSS Security is an information security firm providing cyber security protection with a highly skilled and experienced team focused on technology that creates best-in-class customer experiences.